A simple Kubernetes Mutating Admission Webhook written in Rust. It automatically injects an additional port definition into container specs based on an annotation.
This webhook watches for Pod creation events and, if the Pod contains the annotation:

```yaml
syscallx86.com/container-port-injector: "true"
```

it adds a container port (for example a metrics port) into the Pod specification.
This is useful when you need to expose internal ports (e.g., injected Envoy sidecars in Consul service mesh) without modifying deployment manifests directly.
```text
mutate-webhook-rs [OPTIONS]

Options:
  -c, --config <CONFIG>  Path to configuration file
  -h, --help             Print help
  -V, --version          Print version
```

Example:

```sh
mutate-webhook-rs -c contrib/config.yaml
```

Example config file (contrib/config.yaml):
```yaml
addr: "0.0.0.0"
port: 8443
log: "console"
tls_cert: "/tmp/cert.pem"
tls_key: "/tmp/cert.key"
container_patch:
  name: "simple-api"
  port_name: "metrics"
  port_number: 9101
```

- addr / port – address and port where the webhook listens
- log – logging backend (console)
- tls_cert / tls_key – filesystem paths to the TLS certificate and key
- container_patch
  - name: name of the container to mutate
  - port_name: name of the injected port
  - port_number: container port number to inject
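
The mutation that the annotation gate and the `container_patch` settings describe, as an added example (not the project's own code). It is std-only Rust, assumes the response carries an RFC 6902 JSONPatch, and uses hypothetical names (`Port`, `Container`, `PatchCfg`, `build_patch`); it covers the cases an admission webhook has to get right: exact opt-in, unknown container, an already-declared port, and a container with no `ports` array.

```rust
// Added example (std only); every type and function name here is hypothetical.
const ANNOTATION: &str = "syscallx86.com/container-port-injector";

pub struct Port { pub name: String, pub number: u16 }
pub struct Container { pub name: String, pub ports: Option<Vec<Port>> }
pub struct PatchCfg { pub container: String, pub port_name: String, pub port_number: u16 }

// Conservative check so the name can be interpolated into JSON safely;
// Kubernetes applies its own, stricter port-name validation afterwards.
fn safe_port_name(n: &str) -> bool {
    !n.is_empty() && n.len() <= 15
        && n.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
}

/// Returns an RFC 6902 JSONPatch document, or None when the Pod must stay untouched.
pub fn build_patch(annotations: &[(&str, &str)], containers: &[Container], cfg: &PatchCfg) -> Option<String> {
    // Opt-in only: the annotation must carry the exact value "true".
    if !annotations.iter().any(|(k, v)| *k == ANNOTATION && *v == "true") {
        return None;
    }
    if cfg.port_number == 0 || !safe_port_name(&cfg.port_name) {
        return None;
    }
    // Patch only the configured container; never fall back to the first one.
    let (idx, target) = containers.iter().enumerate().find(|(_, c)| c.name == cfg.container)?;
    let entry = format!(r#"{{"name":"{}","containerPort":{}}}"#, cfg.port_name, cfg.port_number);
    match &target.ports {
        // Idempotence: a repeated call or a manifest that already declares the port adds nothing.
        Some(ports) if ports.iter().any(|p| p.number == cfg.port_number || p.name == cfg.port_name) => None,
        // "/ports/-" appends to an existing array.
        Some(_) => Some(format!(r#"[{{"op":"add","path":"/spec/containers/{}/ports/-","value":{}}}]"#, idx, entry)),
        // No ports array yet: "add" must create it, because appending to a missing array fails.
        None => Some(format!(r#"[{{"op":"add","path":"/spec/containers/{}/ports","value":[{}]}}]"#, idx, entry)),
    }
}

fn main() {
    // Constructed input: an annotated Pod whose target container declares no ports.
    let cfg = PatchCfg { container: "simple-api".into(), port_name: "metrics".into(), port_number: 9101 };
    let pod = [Container { name: "simple-api".into(), ports: None }];
    println!("{:?}", build_patch(&[(ANNOTATION, "true")], &pod, &cfg));
}
```
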
Mutation happens only when the Pod includes the annotation:

```yaml
metadata:
  annotations:
    syscallx86.com/container-port-injector: "true"
```

In the contrib/ directory:
- config.yaml – sample configuration
- self-signed.sh – script to generate a self-signed TLS certificate
In the deploy/ directory:
- mutatingwebhook.yaml – example MutatingWebhookConfiguration
Deploy the webhook Pod and apply the manifest to register it with the Kubernetes API server.
```sh
make build
```

- 0.7.0
  - Initial public release
This project is licensed under the MIT License - see the LICENSE file for details.
Built with:
