1.创建 Issuer

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: default
spec:
  selfSigned: {}

2.Certificate（自动生成 TLS 证书）

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-cert
  namespace: default
spec:
  secretName: webhook-server-cert
  duration: 8760h # 1 year
  renewBefore: 360h
  subject:
    organizations:
      - example.com
  commonName: webhook-service.default.svc
  dnsNames:
    - webhook-service.default.svc
    - webhook-service.default.svc.cluster.local
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer

3. 对以上yaml执行apply,然后查看生成的证书

kubectl get webhook-server-cert

4. 在deploy中挂载证书

volumeMounts:
  - name: tls
    mountPath: /tls
    readOnly: true
volumes:
  - name: tls
    secret:
      secretName: webhook-server-cert

4.根据证书获取ca

kubectl get secret webhook-server-tls -o jsonpath='{.data.ca\.crt}'

或者

kubectl get secret webhook-server-tls -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

然后把这个值 粘贴进 MutatingWebhookConfiguration 的 caBundle 字段中。

本地开发时，可以导出tls.crt和tls.key

# 导出 tls.crt
kubectl get secret webhook-server-cert  -n default -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt

# 导出 tls.key
kubectl get secret webhook-server-cert  -n default -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key

5. 创建MutatingWebhookConfiguration webhook（设置 caBundle）

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: pod-mutator
webhooks:
  - name: mpod.kb.io
    clientConfig:
      service:
        name: webhook-service
        namespace: default
        path: /mutate
        port: 443
      caBundle: <填入 webhook-server-cert 中的 ca.crt 内容（Base64）>
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
    admissionReviewVersions: ["v1"]
    sideEffects: None

6.创建deploy

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook-server
  namespace: default
  labels:
    app: webhook-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook-server
  template:
    metadata:
      labels:
        app: webhook-server
    spec:
      containers:
        - name: webhook-server
          image: mesh-webhook:v0.0.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              name: https
          volumeMounts:
            - name: webhook-tls
              mountPath: /tls
              readOnly: true
          args:
            - "--tls-cert=/tls/tls.crt"
            - "--tls-key=/tls/tls.key"
      volumes:
        - name: webhook-tls
          secret:
            secretName: webhook-server-cert  # cert-manager 生成的 Secret 名称
---
apiVersion: v1
kind: Service
metadata:
  name: webhook-service
  namespace: default
spec:
  selector:
    app: webhook-server
  ports:
    - port: 443
      targetPort: 8443
      protocol: TCP
      name: https