Cloud / HELM Interview Questions
How do you implement custom validation admission webhooks with Helm?
Admission webhooks enforce custom policies on Kubernetes resources. Helm can deploy them but requires special handling for certificate management.
ValidatingWebhookConfiguration with Helm
# templates/validatingwebhook.yaml
{{- if .Values.webhook.enabled }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "myapp.fullname" . }}-webhook
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "myapp.fullname" . }}-webhook-tls
webhooks:
- name: validate.myapp.example.com
clientConfig:
service:
name: {{ include "myapp.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate
caBundle: {{ .Values.webhook.caBundle }} # Or injected by cert-manager
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apps"]
apiVersions: ["v1"]
resources: ["deployments"]
failurePolicy: Fail
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 5
{{- end }}
Webhook service and deployment
# templates/webhook-deployment.yaml
apiVersion: v1
kind: Service
metadata:
name: {{ include "myapp.fullname" . }}-webhook
spec:
selector:
app: {{ include "myapp.name" . }}
component: webhook
ports:
- port: 443
targetPort: 8443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "myapp.fullname" . }}-webhook
spec:
replicas: 2
template:
spec:
containers:
- name: webhook
image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}
ports:
- containerPort: 8443
volumeMounts:
- name: webhook-tls
mountPath: /certs
volumes:
- name: webhook-tls
secret:
secretName: {{ include "myapp.fullname" . }}-webhook-tls
cert-manager integration for TLS
# templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "myapp.fullname" . }}-webhook-tls
spec:
secretName: {{ include "myapp.fullname" . }}-webhook-tls
dnsNames:
- {{ include "myapp.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
- {{ include "myapp.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
name: {{ .Values.certManager.issuer.name }}
kind: ClusterIssuer
Helm hook for certificate readiness
# templates/ensure-cert.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "myapp.fullname" . }}-cert-check
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
spec:
containers:
- name: check
image: bitnami/kubectl:latest
command:
- sh
- -c
- |
until kubectl get secret {{ include "myapp.fullname" . }}-webhook-tls; do
sleep 2
done
restartPolicy: OnFailure
Testing webhook locally
# Generate CA and cert for testing
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=webhook" -days 10000 -out ca.crt
# Configure webhook with caBundle from ca.crt
Invest now in Acorns!!! 🚀
Join Acorns and get your $5 bonus!
Acorns is a micro-investing app that automatically invests your "spare change" from daily purchases into diversified, expert-built portfolios of ETFs. It is designed for beginners, allowing you to start investing with as little as $5. The service automates saving and investing. Disclosure: I may receive a referral bonus.
Invest now!!! Get Free equity stock (US, UK only)!
Use Robinhood app to invest in stocks. It is safe and secure. Use the Referral link to claim your free stock when you sign up!.
The Robinhood app makes it easy to trade stocks, crypto and more.
Webull! Receive free stock by signing up using the link: Webull signup.
More Related questions...
