Webhook

Kube-OVN supports allocation static IP addresses along with dynamical addresses which means we should hold static IP addresses don’t allow others using it.

Pre-request

  • Kube-OVN without webhook
  • Cert-Manager

To install

The webhook needs https so we using cert-manager here to generate the certificate. Normally cert-manager doesn’t use hostNetwork so it needs CNI to allocate IP addresses. As a result, we should install ovn, kube-ovn, cert-manager before webhook.

Example:
Assume you have two deployments have ip conflict.

deployment1.yaml

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4.   namespace: ovn-test
  5.   name: starter-backend1
  6.   labels:
  7.     app: starter-backend1
  8. spec:
  9.   replicas: 2
  10.   selector:
  11.     matchLabels:
  12.       app: starter-backend1
  13.   template:
  14.     metadata:
  15.       labels:
  16.         app: starter-backend1
  17.       annotations:
  18.         ovn.kubernetes.io/ip_pool: 10.16.0.15,10.16.0.16
  19.     spec:
  20.       containers:
  21.       - name: backend
  22.         image: nginx:alpine
  1. # kubectl create -f deployment1.yaml
  2. deployment.apps/starter-backend1 created

deployment2.yaml

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4.   namespace: ovn-test
  5.   name: starter-backend2
  6.   labels:
  7.     app: starter-backend2
  8. spec:
  9.   replicas: 2
  10.   selector:
  11.     matchLabels:
  12.       app: starter-backend2
  13.   template:
  14.     metadata:
  15.       labels:
  16.         app: starter-backend2
  17.       annotations:
  18.         ovn.kubernetes.io/ip_pool: 10.16.0.15,10.16.0.16
  19.     spec:
  20.       containers:
  21.       - name: backend
  22.         image: nginx:alpine
  1. # kubectl create -f deployment2.yaml
  2. Error from server (overlap): error when creating "deployment2.yaml": admission webhook "pod-ip-validaing.kube-ovn.io" denied the request: overlap