Skip to content

koudaiii/monban

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
certs
certs
 
 
example
example
 
 
kubernetes
kubernetes
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
Gopkg.lock
Gopkg.lock
 
 
Gopkg.toml
Gopkg.toml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
config.go
config.go
 
 
main.go
main.go
 
 
scheme.go
scheme.go
 
 

Repository files navigation

monban 門番

Monban(門番) is simple managing locked deployments by Admission Webhooks in a namespace.

Build Status Docker Repository on Quay GitHub release

Description

When you need to lock deployments. Monban(門番) can lock deployments in a namespace. Monban(門番) is valid at the time of the following situations.

  • for Maintenance
  • for Code-freeze
  • for recovery operations in Production

Please refer to Admission Webhooks and the implementation of the admission webhook server.

Table of Contents

Requirements

# for Mac
$ brew install cfssl # for make cert files
$ brew install kubernetes-cli # for deploy to kubernetes

Installation

  1. Setup RBAC (ex. https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/)
  2. Monban(門番) deploy to k8s.
$ make deploy

Check deploy

$ kubectl get deployment monban -n default
NAME     DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
monban   1         1         1            1           21h

$ kubectl logs deployment/monban -f -n default
2018/12/19 05:26:03 Starting monban...

Usage

Example: How to lock deployments in a namespace

Monban enabled

$ kubectl annotate namespace/default koudaiii/monban=enabled
namespace/default annotated

Check lock

$ kubectl patch deployment/nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
Error from server: admission webhook "monban.default.service" denied the request: nginx-test is locked in default.
If you unlock, Please run command `kubectl annotate namespace/default koudaiii/monban-`

locking deployment 👌

Example: How to unlock deployment in a namespace

Monban disabled

$ kubectl annotate namespace/default koudaiii/monban-
namespace/default annotated

Check unlock

$ kubectl patch deployment/nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched

$ kubectl get po
nginx-test-56f766d96f-7qd4x            1/1     Running             0          2d
nginx-test-56f766d96f-8tgfn            1/1     Running             0          2d
nginx-test-56f766d96f-bwltr            0/1     Terminating         0          2d
nginx-test-56f766d96f-cfrpd            1/1     Running             0          2d
nginx-test-56f766d96f-k55jn            1/1     Running             0          2d
nginx-test-56f766d96f-rzd2j            1/1     Running             0          2d
nginx-test-56f766d96f-vvlb8            1/1     Running             0          2d
nginx-test-8595c7fdbd-642bn            1/1     Running             0          10s
nginx-test-8595c7fdbd-7m72g            1/1     Running             0          10s
nginx-test-8595c7fdbd-dgtqn            0/1     ContainerCreating   0          4s
nginx-test-8595c7fdbd-h6rqg            1/1     Running             0          6s
nginx-test-8595c7fdbd-hfml7            0/1     ContainerCreating   0          1s

unlocked deployment 👌

in minikube

  1. Setup minikube.
  2. Clone this repository and build using make.
$ minikube start
$ minikube update-context
$ make deploy
  1. Create User RBAC

Set context

$ kubectl config set-credentials koudaiii --client-certificate=$HOME/.minikube/client.crt --client-key=$HOME/.minikube/client.key
$ kubectl config set-context koudaiii-context --cluster=minikube --namespace=default --user=koudaiii
# Check
$ kubectl --context=koudaiii-context get pods

Set RBAC

$ kubectl apply -f example/user.yaml
  1. Deploy sample app
$ kubectl --context=koudaiii-context run --image nginx nginx-test
$ kubectl --context=koudaiii-context get pods
  1. Check Monban(門番)

Reload

$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched

$ kubectl get po
NAME                          READY   STATUS              RESTARTS   AGE
monban-84647c5bbc-p4ntj       1/1     Running             0          12m
nginx-test-5cb5969668-2j5qn   1/1     Running             0          1m
nginx-test-7499b7747-mvdf7    0/1     ContainerCreating   0          3s

Monban enabled

$ kubectl --context=koudaiii-context annotate namespace/default koudaiii/monban=enabled
namespace/default annotated

$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
Error from server: admission webhook "monban.default.service" denied the request: nginx-test is locked in default.
If you unlock, Please run command `kubectl annotate namespace/default koudaiii/monban-`

Monban disable

$ kubectl annotate namespace/default koudaiii/monban-
namespace/default annotated

$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched

Contribution

  1. Fork (https://github.com/koudaiii/monban/fork)
  2. Create a feature branch
  3. Commit your changes
  4. Rebase your local changes against the master branch
  5. Run test suite with the go test ./... command and confirm that it passes
  6. Run gofmt -s
  7. Create a new Pull Request

Author

koudaiii

License

MIT License

About

When you need to lock deployments. Monban(門番) can lock deployments in a namespace.

Topics

kubernetes kubernetes-deployment admission-webhook

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Initial development release Latest
Dec 20, 2018

Packages

 
 
 

Contributors

Languages