kubernetes-sigs · pwittrock · Jan 2, 2019 · Jan 4, 2019 · Jan 4, 2019 · Jan 14, 2019
diff --git a/base/kustomization.yaml b/base/kustomization.yaml
@@ -0,0 +1,15 @@
+# Requires: kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user USER
+apiVersion: v1beta1
+kind: Kustomization
+
+resources:
+- rbac.yaml
+- manager.yaml
+
+vars:
+- fieldref: {}
+  name: WEBHOOK_SECRET_NAME
+  objref:
+    apiVersion: v1
+    kind: Secret
+    name: webhook-server-secret
diff --git a/base/manager.yaml b/base/manager.yaml
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: controller-manager-service
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  ports:
+  - port: 443
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      controller-tools.k8s.io: "1.0"
+  serviceName: controller-manager-service
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+      labels:
+        control-plane: controller-manager
+        controller-tools.k8s.io: "1.0"
+    spec:
+      containers:
+      - command:
+        - /manager
+#        - --v=10
+        - --logtostderr
+        image: controller:latest
+        imagePullPolicy: Always
+        name: manager
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SECRET_NAME
+            value: $(WEBHOOK_SECRET_NAME)
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        ports:
+        - containerPort: 9876
+          name: webhook-server
+          protocol: TCP
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/cert
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-secret
diff --git a/base/rbac.yaml b/base/rbac.yaml
@@ -0,0 +1,53 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: webhook-manager-role
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations # for managing webhooks
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets # for managing webhooks
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: webhook-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: webhook-manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
diff --git a/example/main.go b/example/main.go
@@ -84,7 +84,8 @@ func main() {
 		Name("mutating.k8s.io").
 		Mutating().
 		Operations(admissionregistrationv1beta1.Create, admissionregistrationv1beta1.Update).
-		WithManager(mgr).
+		WithScheme(mgr.GetScheme()).
+		WithRestMapper(mgr.GetRESTMapper()).
 		ForType(&corev1.Pod{}).
 		Handlers(&podAnnotator{}).
 		Build()
@@ -97,7 +98,8 @@ func main() {
 		Name("validating.k8s.io").
 		Validating().
 		Operations(admissionregistrationv1beta1.Create, admissionregistrationv1beta1.Update).
-		WithManager(mgr).
+		WithScheme(mgr.GetScheme()).
+		WithRestMapper(mgr.GetRESTMapper()).
 		ForType(&corev1.Pod{}).
 		Handlers(&podValidator{}).
 		Build()
@@ -107,9 +109,9 @@ func main() {
 	}
 
 	entryLog.Info("setting up webhook server")
-	as, err := webhook.NewServer("foo-admission-server", mgr, webhook.ServerOptions{
-		Port:                          9876,
-		CertDir:                       "/tmp/cert",
+	as, err := webhook.NewServer("foo-admission-server", webhook.ServerOptions{
+		Port:    9876,
+		CertDir: "/tmp/cert",
 		DisableWebhookConfigInstaller: &disableWebhookConfigInstaller,
 		BootstrapOptions: &webhook.BootstrapOptions{
 			Secret: &apitypes.NamespacedName{
@@ -126,7 +128,7 @@ func main() {
 				},
 			},
 		},
-	})
+	}, mgr.GetRESTMapper(), mgr.GetScheme())
 	if err != nil {
 		entryLog.Error(err, "unable to create a new webhook server")
 		os.Exit(1)

diff --git a/example2/Dockerfile b/example2/Dockerfile
@@ -0,0 +1,17 @@
+# Build the manager binary
+FROM golang:1.10.3 as builder
+
+# Copy in the go src
+WORKDIR /go/src/sigs.k8s.io/controller-runtime/
+COPY pkg/    pkg/
+COPY example2/    example2/
+COPY vendor/ vendor/
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager ./example2
+
+# Copy the controller-manager into a thin image
+FROM ubuntu:latest
+WORKDIR /
+COPY --from=builder /go/src/sigs.k8s.io/controller-runtime/manager .
+ENTRYPOINT ["/manager"]
diff --git a/example2/config/crew_namespace.yaml b/example2/config/crew_namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: crew-system
diff --git a/example2/config/firstmate_crd.yaml b/example2/config/firstmate_crd.yaml
@@ -0,0 +1,27 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  # name must match the spec fields below, and be in the form: <plural>.<group>
+  name: firstmates.crew.example.com
+spec:
+  # group name to use for REST API: /apis/<group>/<version>
+  group: crew.example.com
+  # list of versions supported by this CustomResourceDefinition
+  versions:
+  - name: v1
+    # Each version can be enabled/disabled by Served flag.
+    served: true
+    # One and only one version must be marked as the storage version.
+    storage: true
+  # either Namespaced or Cluster
+  scope: Namespaced
+  names:
+    # plural name to be used in the URL: /apis/<group>/<version>/<plural>
+    plural: firstmates
+    # singular name to be used as an alias on the CLI and for display
+    singular: firstmate
+    # kind is normally the CamelCased singular type. Your resource manifests use this.
+    kind: FirstMate
+    # shortNames allow shorter string to match your resource on the CLI
+    shortNames:
+      - fm
diff --git a/example2/config/kustomization.yaml b/example2/config/kustomization.yaml
@@ -0,0 +1,21 @@
+# Requires: kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user USER
+apiVersion: v1beta1
+kind: Kustomization
+
+# Adds namespace to all resources.
+namespace: crew-system
+
+bases:
+- ../../base
+
+resources:
+- firstmate_crd.yaml
+- manager_rbac.yaml
+- crew_namespace.yaml
+
+patchesStrategicMerge:
+- manager_image_patch.yaml
+
+imageTags:
+  - name: pwittrock/controller-manager
+    newTag: v1
diff --git a/example2/config/manager_image_patch.yaml b/example2/config/manager_image_patch.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - image: pwittrock/controller-manager
+        name: manager
diff --git a/example2/config/manager_rbac.yaml b/example2/config/manager_rbac.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+  - apiGroups:
+      - apps
+      - crew.example.com
+    resources:
+      - deployments
+      - deployments/status
+      - firstmates
+      - firstmates/status
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+  - kind: ServiceAccount
+    name: default