KubeMod is a universal Kubernetes resource mutator.
It allows you to deploy to your Kubernetes cluster a set of declarative rules which will perform targeted modifications to any Kubernetes resource at the time the resource is being created or updated.
KubeMod is an implementation of a Kubernetes Operator.
To install KubeMod, run:
kubectl apply -f https://github.com/kubemod/kubemod/blob/v0.4.0/bundle.yamlTo uninstall KubeMod, run:
kubectl delete -f https://github.com/kubemod/kubemod/blob/v0.4.0/bundle.yamlOnce KubeMod is deployed, you can create ModRules which monitor for specific resources and perform modifications on them.
For example, here's a ModRule which enforces a securityContext and adds annotation my-annotation to any Deployment
resource whose app label equals nginx and includes a container of any subversion of nginx 1.14.
apiVersion: api.kubemod.io/v1beta1
kind: ModRule
metadata:
name: my-modrule
spec:
type: Patch
matches:
# Match deployments ...
- query: '$.kind'
value: 'Deployment'
#... with label app=nginx ...
- query: '$.metadata.labels.app'
regex: 'nginx'
#... and containers whose image matches nginx:1.14.*
- query: '$.spec.template.spec.containers[*].image'
regex: 'nginx:1\.14\..*'
patch:
# Add custom annotation.
- op: add
path: /metadata/annotations/my-annotation
value: whatever
# Enforce non-root securityContext and make nginx run as user 101.
- op: add
path: /spec/template/spec/securityContext
value: |-
fsGroup: 101
runAsGroup: 101
runAsUser: 101
runAsNonRoot: trueSave the above to file my-modrule.yaml and run:
kubectl apply -f my-modrule.yamlThis will create ModRule my-modrule in the current default namespace.
After the ModRule is created, the creation of any nginx Kubernetes Deployment resource in the same namespace will be intercepted by KubeMod and if
the Deployment resource matches all the queries in the ModRule's matches section the resource will be patched with the patch operations before
it is actually deployed to Kubernetes.
See more examples of ModRules here.
Contributions are greatly appreciated! Leave an issue or create a PR.
- kubebuilder (2.3.1) (https://book.kubebuilder.io/quick-start.html)
- kustomize (3.8.1) (https://kubernetes-sigs.github.io/kustomize/installation/binaries/)
- cfssl (https://gist.github.com/tirumaraiselvan/b7eb1831d25dd9d59a785c11bd46c84b)
- telepresence (https://www.telepresence.io/)
- wire (https://github.com/google/wire)
Build the image once:
make docker-buildthen deploy the whole shebang and start telepresence which will swap out the kubemod controller with your local host environment:
make deploy
dev-env.sh
At this point you can develop/debug kubemod locally.