Deploy a Custom Admission Controller with Terraform

2 hours
  • 5 Learning Objectives

About this Hands-on Lab

In this lab, you are being asked to create a dynamic admission controller with Terraform that will use cert-manager for certificate management. You will use Terraform to first create the ClusterIssuer and the CA root certificate. Next, you will create the webhook certificate. Then you will create a certificate that will be used by the Kubernetes API server. Finally, you will test your dynamic admission controller by creating an annotation with the value of the certificate for the Kubernetes API server.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Prepare the Environment
  1. Install Homebrew.

  2. Follow the instructions in the terminal to complete the install.

  3. Confirm Homebrew was installed successfully.

  4. Install the awscli package.

  5. Install the kubernetes-cli package.

  6. Install the terraform package.

Deploy EKS Cluster
  1. Create a new AWS Access Key and Secret Access Key in the AWS console and copy them to a text editor.

  2. Clone the course repo.

  3. Move to the custom-admission-controllers directory.

  4. Move to the eks directory.

  5. Initialize your working directory.

  6. Apply the Terraform configuration.

    Note: This will take 10 to 15 minutes.

  7. Configure AWS CLI.

  8. Configure Kubernetes-CLI to interact with your EKS cluster.

  9. Confirm you are connected to your cluster.

Create the Validating Webhook
  1. Move to the admission-controller directory.

  2. Log in to Docker Hub from the command line.

  3. Update the Makefile file with your Docker Hub username.

  4. Build the webhook.

    Note: This will take 10 to 15 minutes.

  5. Build the Docker image.

  6. Push the Docker image to Docker Hub.

  7. Deploy the certs.

Deploy the Validating Webhook
  1. Move into the terraform directory.

  2. Update the deployment configuration with your Docker image.

  3. Initialize the working directory.

  4. Apply the configuration.

  5. Confirm the webhook is up and available.

Test the Dynamic Admission Controller
  1. Go back a directory.

  2. Create a directory called test-pods.

  3. Move to the test-pods directory.

  4. Create three test pods called test-app-1, test-app-2, and test-app-3.

  5. Add a label called hello = "world" to test-app-2 and hello = "universe" to test-app-3.

  6. Initialize your working directory.

  7. Apply the webhook configuration.

  8. Confirm that your validating webhook is working:

    • test-app-1 should error and not deploy
    • test-app-2 and test-app-3 should deploy without issue
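
The admission decision this test exercises, as an added example in Go (not the lab's supplied webhook code). It assumes the policy implied by the expected results, that a Pod is admitted only if it carries a hello label; the names Decide and reply, the struct names and the sample request are hypothetical, and only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type review struct { // subset of the admission.k8s.io/v1 AdmissionReview format
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type meta struct {
	Name   string            `json:"name"`
	Labels map[string]string `json:"labels"`
}
type request struct {
	UID    string `json:"uid"`
	Object struct{ Metadata meta `json:"metadata"` } `json:"object"`
}
type status struct{ Message string `json:"message"` }
type response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

// Decide applies the assumed policy: admit a Pod only if it has a "hello" label.
func Decide(body []byte) review {
	var in review
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return reply("", &status{"malformed AdmissionReview"}) // fail closed
	}
	m := in.Request.Object.Metadata
	if _, ok := m.Labels["hello"]; !ok {
		return reply(in.Request.UID, &status{fmt.Sprintf("pod %q has no hello label", m.Name)})
	}
	return reply(in.Request.UID, nil)
}

func reply(uid string, st *status) review { // a nil status means the object is allowed
	return review{"admission.k8s.io/v1", "AdmissionReview", nil, &response{uid, st == nil, st}}
}

func main() { // constructed request for a Pod with no labels
	in := `{"request":{"uid":"u1","object":{"metadata":{"name":"test-app-1"}}}}`
	out, _ := json.Marshal(Decide([]byte(in)))
	fmt.Println(string(out))
}
```

The response echoes the request uid, and the status message of a denial is the text kubectl shows when the Pod is rejected.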

Additional Resources

You will start by getting your environment ready to create a custom admission controller. You will install the awscli, kubernetes-cli, and terraform packages from Homebrew. Next, you will take the supplied Terraform code and deploy an EKS cluster using Terraform. You will then take the supplied Go code and build your validating webhook. You will then build your Docker image and push it to Docker Hub. After the push is completed, you will deploy cert-manager and create the certs for your webhook. Next, you will modify the supplied Terraform code to use your Docker image and deploy your validating webhook to your cluster using Terraform. Finally, you will create some test Pods called test-app-1, test-app-2, and test-app-3 that you will use to test the dynamic admission controller's functionality and confirm it is working. You will need to give test-app-2 the label hello = "world" and give test-app-3 the label hello = "universe".
